vmware-carbon-black and App-ID

ewashing3 — Fri, 07 Jan 2022 01:28:36 GMT

I've run into an issue with regard to deploying VMWare Carbon Black within my environment. There are a subset of endpoints that have never connected to the Internet directly and use proxy allowances for Windows Updates, etc. I have requested that the ports and URLs that VMWare Carbon Black uses have allowances so that can register successfully from my environment. For the most part, a majority of the endpoints are able to install the sensor(s) without any issues, however I am getting cert errors for the sensors that fail to register. I've verified that certs in question (GoDaddy) are present in both of the cert stores on the proxy (Palo Alto) and the endpoints After digging a bit, I think the issue for this subset of endpoints failing to install the sensors is due to the policy group that is being applied. I don't see any settings/configuration s for the App-ID specifically for vmware-carbon-black which seems to be tagged as web-browsing and ssl.

Has anyone come across this scenario before in which the method of applying trusts, etc. using ports and urls still fail? If so, were those issues able to be resolved by using App-ID instead?

Re: vmware-carbon-black and App-ID

LAYER_8 — Fri, 01 Dec 2023 02:39:33 GMT

Some vendors use cert-pinning to detect decryption between connections, EDR/XDR are starting to do this more. You will need to write an exclusion for the domains, if that is what they are doing as that could likely be breaking this. If you look at the exclusion list in your firewall you'll see a whole number of cert-pinning services (okta, etc)

topic Re: vmware-carbon-black and App-ID in General Topics

vmware-carbon-black and App-ID

Re: vmware-carbon-black and App-ID